When it Rains it Pours: DNS Floods

DNS servers are the backbone of client-server communication on the Internet. They are a fundamental part of how we get around in cyberspace, and of how other entities find us. Since DNS servers have so much power and reach across the Internet, it should come as no surprise that hackers have found a way to manipulate them to cause harm: specifically, to launch devastating Distributed Denial of Service (DDoS) attacks.

The Internet’s Directory

Think of DNS servers as part of a big Internet phonebook that holds all the addresses and alternate names for each website. They maintain the hierarchy of domain names and IP addresses with a system of primary and backup servers. The DNS ecosystem allows people and machines to locate other websites with ease.

DNS servers must carry vast amounts of information, and they must have the proper infrastructure, or ‘pipes’, to move data to and from their domains.

Recently, the cyber security community has seen a huge upswing in DNS Floods: in other words, hijacking these large ‘pipes’ to perform DDoS attacks on innocent websites.

DNS Flood Attacks

In May, DDoS protection service provider Incapsula encountered a massive DNS Flood hitting one of its clients. The attack plateaued at over 1.5 billion packet requests per minute.

Incapsula’s team evaluated the malicious packets and determined they were originating from two large anti-DDoS services, one in Canada and one in China.

Although anti-DDoS services may sound like unlikely facilitators of a DDoS attack, it is actually not surprising given the huge traffic capacity that anti-DDoS networks possess. Moreover, most security services tend to be far more concerned with traffic entering their network than with traffic leaving it.

Once Incapsula realized they were dealing with a DNS Flood, they alerted the two anti-DDoS services that their networks were being abused. Shortly thereafter, the two service providers removed the culprits from their networks.

This notable attack is not an isolated incident in the cyber security community. DNS Flood DDoS has spiked over the last few months, putting websites both big and small at risk. This DDoS technique is trendy amongst hackers for a few reasons.

Unlike DNS Amplification attacks, which aim to saturate the target’s network bandwidth, DNS Floods aim to exhaust CPU, memory, and other server resources. Damaging these assets is more harmful than network flooding because they are more fundamental components of a website’s functionality.

Additionally, DNS Floods have an advantage in stealth. They cannot be filtered at the network level without interrupting normal traffic flow, because each malicious packet looks like a ‘legitimate’ query until it is inspected at the server level, in the context of everything else the server is receiving. By that stage, without a sophisticated DDoS protection service at your disposal, your website would already be sunk.
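
The server-level inspection described above, as an added example that is not part of the original post: each query looks ordinary on its own, so the detector below keys on the per-source query rate in a sliding window over DNS query logs. The log format, the client addresses, and the rate threshold are assumptions; the sample log is constructed.

```python
"""Added example (not from the original post): server-side DNS query-log
inspection that flags sources whose query rate in a sliding window exceeds a
threshold. The log format, client addresses and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime


def parse_line(line):
    """Parse '<ISO time> <client ip> <qname> <qtype>' (assumed log format)."""
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), qtype


def flood_sources(lines, window_s=1.0, max_per_window=20):
    """Return {client: peak queries seen inside any window_s-second window}
    for clients that exceeded max_per_window. Lines are assumed to be in
    chronological order. Individually the queries are well-formed; only the
    per-source rate, visible at the server, reveals the flood."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, client, _qname, _qtype = parse_line(line)
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop timestamps that aged out of the window
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n > max_per_window}


# Constructed sample: two ordinary clients plus one client sending 50 queries
# within the same second (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2014-06-01T10:00:00 203.0.113.5 www.example.com A",
    "2014-06-01T10:00:00 198.51.100.7 api.example.com A",
    "2014-06-01T10:00:01 203.0.113.5 www.example.com AAAA",
] + [f"2014-06-01T10:00:01 192.0.2.10 host{i}.example.com A" for i in range(50)]

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))   # {'192.0.2.10': 50}
```

Rate thresholds like this only narrow the set of suspects; a distributed flood spreads queries across many sources, which is why the post recommends a protection service that can correlate traffic across clients.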

Protecting Your Website from DNS Flood

After examining the current cyber security trends, it appears DNS Flood DDoS is here to stay. As with all issues involving cyber security, being aware of the dangers in the Internet landscape is important, but in the case of DNS Floods, knowledge alone is not exactly power. It is highly recommended to have third-party security services guarding your servers and networks so you don’t become the victim, or the unwitting perpetrator, of a DNS Flood.